package parity.independent;

import integration.rbacapi.api.v1.LookupTest;
import io.confluent.kafka.test.cluster.EmbeddedKafkaCluster;
import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.retrofit.v2.V2RbacRestApi;
import io.confluent.rbacapi.retrofit.v2.V2RbacRetrofitFactory;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.security.test.utils.User;
import java.util.Collections;
import java.util.Map;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import kafka.server.KafkaConfig$;
import kafka.server.KafkaServer;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.Config;
import org.apache.kafka.clients.admin.ConfigEntry;
import org.apache.kafka.common.config.ConfigResource;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.hamcrest.MatcherAssert;
import org.hamcrest.core.Is;
import org.jose4j.lang.JoseException;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Optional;
import org.testng.annotations.Parameters;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.ControlPlaneMDSCluster;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.PostgresDbTestBed;

@Test
/* loaded from: input_file:parity/independent/V2CloudSetupTest.class */
public class V2CloudSetupTest {
    private static final String U_BROKER_SUPER_USER = "mds";
    private static final String U_ACME_ORG_ADMIN_USER = "acmeOrgAdmin";
    private static final String U_NO_ROLE_USER = "noRoleUser";
    private int actualMdsPort;
    private KafkaConfigTool.TokenPemFiles mdsPemFiles;
    private RbacClusters rbacClusters;
    private PostgresDbTestBed postgresDbTestBed;
    private ControlPlaneMDSCluster cloudMDSCluster;
    private String superUserToken;
    private String acmeOrgAdminToken;
    private final MdsScope acmeOrgScope = MdsScope.of(new Scope.Builder(new String[]{"organization=acme"}).build());
    private final MdsScope acmeStgEnv = MdsScope.of(new Scope.Builder(new String[]{"organization=acme", "environment=stg"}).build());
    private final String acmeOrgScopeStr = "{ 'path': ['organization=acme'], 'clusters' : {} }".replaceAll("'", LookupTest.PARTIAL_JSON_QUOTE);
    private final Client client = ClientBuilder.newClient();
    private String hostAndPort;

    @Parameters({"backend"})
    @BeforeClass
    public void setUp(@Optional("db") String str) throws Exception {
        this.mdsPemFiles = KafkaConfigTool.createTokenPemFiles();
        this.superUserToken = KafkaConfigTool.generateToken(this.mdsPemFiles.tokenKeyPair, "mds");
        this.acmeOrgAdminToken = KafkaConfigTool.generateToken(this.mdsPemFiles.tokenKeyPair, U_ACME_ORG_ADMIN_USER);
        RbacClusters.Config actualCloudConfig = KafkaConfigTool.actualCloudConfig("mds", 8090, this.mdsPemFiles.tokenPublicKey);
        if ("db".equals(str)) {
            this.postgresDbTestBed = new PostgresDbTestBed();
            this.postgresDbTestBed.setupDb();
            KafkaConfigTool.applyCloudDbConfig(actualCloudConfig, this.postgresDbTestBed);
            attachPlaintextListener(actualCloudConfig);
            this.cloudMDSCluster = new ControlPlaneMDSCluster(actualCloudConfig);
            this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.cloudMDSCluster);
        } else {
            if (!"topic".equals(str)) {
                throw new IllegalStateException("Unknown backend type : " + str);
            }
            attachPlaintextListener(actualCloudConfig);
            this.rbacClusters = new RbacClusters(actualCloudConfig);
            this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        }
        this.hostAndPort = "http://localhost:" + this.actualMdsPort;
        Assert.assertTrue(V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, this.superUserToken).addClusterRoleForPrincipal("User:acmeOrgAdmin", "OrganizationAdmin", this.acmeOrgScope).execute().isSuccessful());
    }

    @AfterClass
    public void teardownClass() {
        if (this.cloudMDSCluster != null) {
            this.cloudMDSCluster.shutdown();
        }
        if (this.postgresDbTestBed != null) {
            this.postgresDbTestBed.teardownDb();
        }
        if (this.rbacClusters != null) {
            this.rbacClusters.shutdown();
        }
        MdsTestUtil.releasePort(this.actualMdsPort);
    }

    @Test
    public void token_positiveAuthenticationTest() throws Exception {
        String generateToken = KafkaConfigTool.generateToken(this.mdsPemFiles.tokenKeyPair, U_NO_ROLE_USER);
        Assert.assertTrue(V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, generateToken).getRoleNames().execute().isSuccessful());
        Assert.assertEquals(curlRoleNamesWithAuthHeader(generateToken).getStatus(), 200);
        Assert.assertEquals(curlRoleNamesWithC3AuthCookie(generateToken).getStatus(), 200);
        Assert.assertEquals(curlRoleNamesWithC3AuthQueryParam(generateToken).getStatus(), 200);
    }

    /* JADX WARN: Type inference failed for: r0v9, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public Object[][] badTokens() throws JoseException {
        return new Object[]{new Object[]{"empty token", "", "invalid_request"}, new Object[]{"truncated legit token", this.superUserToken.substring(0, 40), "invalid_token"}, new Object[]{"from different key provider", KafkaConfigTool.generateToken(KafkaConfigTool.createTokenPemFiles().tokenKeyPair, U_ACME_ORG_ADMIN_USER), "invalid_token"}, new Object[]{"from different issuer", KafkaConfigTool.generateToken(this.mdsPemFiles.tokenKeyPair, U_ACME_ORG_ADMIN_USER, "NotConfluent"), "invalid_token"}};
    }

    @Test(dataProvider = "badTokens")
    public void token_negativeBadTokens(String str, String str2, String str3) throws Exception {
        Response execute = V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str2).getRoleNames().execute();
        Assert.assertEquals(401, execute.code());
        Assert.assertTrue(execute.errorBody().string().contains(str3));
        Assert.assertEquals(curlRoleNamesWithAuthHeader(str2).getStatus(), 401);
        Assert.assertEquals(curlRoleNamesWithC3AuthCookie(str2).getStatus(), 401);
        Assert.assertEquals(curlRoleNamesWithC3AuthQueryParam(str2).getStatus(), 401);
    }

    @Test
    public void token_negativeNoToken() throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort).getRoleNames().execute();
        Assert.assertEquals(401, execute.code());
        Assert.assertTrue(execute.errorBody().string().contains("Unauthorized"));
        Assert.assertEquals(this.client.target(this.hostAndPort).path("/security/v2alpha1/roleNames").request(new String[]{"application/json"}).get().getStatus(), 401);
    }

    private javax.ws.rs.core.Response curlRoleNamesWithAuthHeader(String str) {
        return this.client.target(this.hostAndPort).path("/security/v2alpha1/roleNames").request(new String[]{"application/json"}).header("Authorization", "Bearer " + str).get();
    }

    private javax.ws.rs.core.Response curlRoleNamesWithC3AuthQueryParam(String str) {
        return this.client.target(this.hostAndPort).path("/security/v2alpha1/roleNames").queryParam("access_token", new Object[]{str}).request(new String[]{"application/json"}).get();
    }

    private javax.ws.rs.core.Response curlRoleNamesWithC3AuthCookie(String str) {
        return this.client.target(this.hostAndPort).path("/security/v2alpha1/roleNames").request(new String[]{"application/json"}).header("Cookie", "auth_token=" + str).get();
    }

    @Test
    public void token_positiveRoleBinding() throws Exception {
        Assert.assertTrue(V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, this.acmeOrgAdminToken).addClusterRoleForPrincipal("User:PositiveEnvAdminUser", "EnvironmentAdmin", this.acmeStgEnv).execute().isSuccessful());
    }

    @Test
    public void token_negativeRoleBinding() throws Exception {
        Response execute = V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, this.acmeOrgAdminToken.substring(0, 60)).addClusterRoleForPrincipal("User:NegativeEnvAdminUser", "EnvironmentAdmin", this.acmeStgEnv).execute();
        Assert.assertFalse(execute.isSuccessful());
        Assert.assertEquals(401, execute.code());
    }

    @Test
    public void configuration_tokenGenerationEndpointDoesNotExist() throws Exception {
        Response execute = V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, this.superUserToken).issueToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute.code()), Is.is(404));
    }

    @Test
    public void configuration_basicAuthIsDisabled() throws Exception {
        Response execute = V2RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, "mds", "mds").getRoleNames().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute.code()), Is.is(401));
    }

    @Test
    public void configuration_disabledEndpointsValidToken() throws Exception {
        V2RbacRestApi buildWithToken = V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, this.acmeOrgAdminToken);
        Response execute = buildWithToken.issueToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute.code()), Is.is(404));
        Response execute2 = buildWithToken.clearToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute2.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute2.code()), Is.is(404));
        Response execute3 = buildWithToken.refreshToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute3.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute3.code()), Is.is(404));
    }

    @Test
    public void configuration_disabledEndpointsInvalidToken() throws Exception {
        V2RbacRestApi buildWithToken = V2RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, "invalid token");
        Response execute = buildWithToken.issueToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute.code()), Is.is(401));
        Response execute2 = buildWithToken.clearToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute2.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute2.code()), Is.is(401));
        Response execute3 = buildWithToken.refreshToken().execute();
        MatcherAssert.assertThat(Boolean.valueOf(execute3.isSuccessful()), Is.is(false));
        MatcherAssert.assertThat(Integer.valueOf(execute3.code()), Is.is(401));
    }

    @Test
    public void anonymous_noTokenIsNotTreatedAsAnonSuperUser() {
        Assert.assertEquals(204, this.client.target(this.hostAndPort).path("/security/v2alpha1/principals/User:Alice/roles/OrganizationAdmin").request(new String[]{"application/json"}).header("Authorization", "Bearer " + this.superUserToken).post(Entity.json(this.acmeOrgScopeStr)).getStatus());
        Assert.assertEquals(401, this.client.target(this.hostAndPort).path("/security/v2alpha1/principals/User:Bob/roles/OrganizationAdmin").request(new String[]{"application/json"}).post(Entity.json(this.acmeOrgScopeStr)).getStatus());
    }

    /* JADX WARN: Type inference failed for: r0v19, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider(parallel = true)
    public Object[][] kafkaAdminClients() {
        int intValue;
        AdminClient createPlaintextAdminClient;
        AdminClient buildAdminClient;
        if (this.rbacClusters != null) {
            createPlaintextAdminClient = createPlaintextAdminClient(this.rbacClusters.metadataCluster);
            intValue = ((Integer) ((KafkaServer) this.rbacClusters.metadataCluster.brokers().get(0)).config().get("broker.id")).intValue();
            buildAdminClient = mdsExternalClientBuilder(this.rbacClusters.metadataCluster, ((User) this.rbacClusters.users.get("mds")).jaasConfig).buildAdminClient();
        } else {
            intValue = ((Integer) ((KafkaServer) this.cloudMDSCluster.metadataCluster.brokers().get(0)).config().get("broker.id")).intValue();
            createPlaintextAdminClient = createPlaintextAdminClient(this.cloudMDSCluster.metadataCluster);
            buildAdminClient = mdsExternalClientBuilder(this.cloudMDSCluster.metadataCluster, this.cloudMDSCluster.users.get("mds").jaasConfig).buildAdminClient();
        }
        return new Object[]{new Object[]{"anon kafka client", createPlaintextAdminClient, Integer.valueOf(intValue)}, new Object[]{"legit SU kafka client", buildAdminClient, Integer.valueOf(intValue)}};
    }

    @Test(dataProvider = "kafkaAdminClients")
    public void anonymous_sanityCheckBrokerConfig(String str, AdminClient adminClient, int i) throws Exception {
        try {
            ConfigResource configResource = new ConfigResource(ConfigResource.Type.BROKER, Integer.toString(i));
            Map map = (Map) adminClient.describeConfigs(Collections.singleton(configResource)).all().get();
            Assert.assertEquals(map.size(), 1);
            ConfigEntry configEntry = ((Config) map.get(configResource)).get("background.threads");
            Assert.assertNotNull(configEntry);
            Assert.assertEquals(configEntry.value(), "10");
            if (adminClient != null) {
                adminClient.close();
            }
        } catch (Throwable th) {
            if (adminClient != null) {
                adminClient.close();
            }
            throw th;
        }
    }

    private void attachPlaintextListener(RbacClusters.Config config) {
        config.overrideMetadataBrokerConfig(KafkaConfig$.MODULE$.ListenersProp(), "EXTERNAL://localhost:0,INTERNAL://localhost:0,PLAINTEXT://localhost:0");
        config.overrideMetadataBrokerConfig(KafkaConfig$.MODULE$.ListenerSecurityProtocolMapProp(), "EXTERNAL:SASL_PLAINTEXT,INTERNAL:SASL_PLAINTEXT,PLAINTEXT:PLAINTEXT");
    }

    public KafkaTestUtils.ClientBuilder mdsExternalClientBuilder(EmbeddedKafkaCluster embeddedKafkaCluster, String str) {
        return new KafkaTestUtils.ClientBuilder(embeddedKafkaCluster.bootstrapServers("EXTERNAL"), SecurityProtocol.SASL_PLAINTEXT, "SCRAM-SHA-256", str);
    }

    private AdminClient createPlaintextAdminClient(EmbeddedKafkaCluster embeddedKafkaCluster) {
        return KafkaTestUtils.createAdminClient(embeddedKafkaCluster.bootstrapServers("PLAINTEXT"), SecurityProtocol.PLAINTEXT, "", "");
    }
}
